Note: This is an archival copy of Security Sun Alert 254628 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com
as Sun Alert 1020232.1.

Security Vulnerabilities in the UFS File System Relating to ufs_getpage() and ufs_putpage() Routines May Allow a Local User to Hang or Panic the System

Category: Security

Category: Availability

Release Phase: Resolved

Bug Id: 6425723, 6679732, 6442712

Product: Solaris 10 Operating System, OpenSolaris

Date of Resolved Release: 16-Mar-2009

Several vulnerabilities in the UFS file system involving the ufs_getpage()
and ufs_putapage() routines (see below for full details)

1. Impact

Several vulnerabilities in the UFS file system involving the ufs_getpage() and ufs_putapage() routines may lead to a system hang or a system panic. The specific impact of each issue is as follows:

CR 6442712: A local unprivileged user may be able to cause all writes to a UFS filesystem to hang on x86 systems running OpenSolaris builds snv_39 through snv_45 in 64-bit mode. This can then prevent applications and commands from succeeding, which is a type of Denial of Service (DoS). In addition, if the root (/) filesystem is UFS then this may lead to a system hang, which is a type of Denial of Service (DoS).

CR 6425723: A local unprivileged user may be able to cause all writes to a UFS filesystem to hang on SPARC sun4v systems running Solaris 10 with patch 138888-01 or later and without patch 139483-05 or OpenSolaris builds snv_47 through snv_85. This can then prevent applications and commands from succeeding, which is a type of Denial of Service (DoS). In addition, if the root (/) filesystem is UFS then this may lead to a system hang, which is a type of Denial of Service (DoS).

CR 6679732: A local unprivileged user may be able to panic x86 systems running OpenSolaris builds snv_86 through snv_91 in 32-bit mode with at least one UFS filesystem present.

2. Contributing Factors

These issues can occur in the following releases:

When running in 64-bit mode only (CR 6442712):

x86 Platform

- OpenSolaris based upon builds snv_39 through snv_44

When running on sun4v systems only (CR 6425723):

SPARC Platform

- Solaris 10 with patch 138888-01 or later and without patch 139483-05
- OpenSolaris based upon builds snv_47 through snv_85

When running in 32-bit mode only (CR 6679732):

x86 Platform

- OpenSolaris based upon builds snv_86 through snv_91

Notes:

- OpenSolaris distributions may include additional bug fixes above and beyond the build from which they were derived. The base build can be determined as follows:

$ uname -v
snv_86

- Solaris 8 and 9 are not impacted by this issue. Solaris 10 on the x86 platform is not impacted by this issue.

- To determine if a system is sun4v, execute the following command:

$ uname -m
sun4v

- To determine if the currently running system is running in 32-bit or 64-bit mode, the isainfo(1) command can be used as in the following example:

$ isainfo -b
64
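
The three checks in the notes above can be combined into one classification. The shell function below is an added example, not part of the original Sun Alert: it covers the OpenSolaris build ranges only (the Solaris 10 patch condition is not evaluated), assumes that `uname -m` reports `i86pc` on x86, and uses the wider snv_45 upper bound for CR 6442712.

```shell
#!/bin/sh
# Added example: classify a host against the OpenSolaris build ranges in
# Sun Alert 254628. Inputs are the outputs of `uname -v`, `uname -m` and
# `isainfo -b`. The Solaris 10 patch condition (138888-01 / 139483-05) is
# not evaluated here.

# in_range N LOW HIGH -> success when LOW <= N <= HIGH
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# ufs_alert_crs BUILD MACHINE BITS
# Prints the matching CR ids, "none", or "unknown" when BUILD is not an
# snv_NN string (for example a Solaris 10 "Generic_..." kernel string).
ufs_alert_crs() {
    build=$1; machine=$2; bits=$3
    case $build in
        snv_[0-9]*) ;;
        *) echo "unknown"; return 0 ;;
    esac
    n=${build#snv_}
    n=${n%%[!0-9]*}     # drop any suffix after the build number
    hits=""
    # CR 6442712: x86, 64-bit. The alert gives snv_45 under Impact and
    # snv_44 under Contributing Factors; the wider bound is used here.
    # "i86pc" as the x86 machine name is an assumption, not from the alert.
    if [ "$machine" = "i86pc" ] && [ "$bits" = "64" ] && in_range "$n" 39 45; then
        hits="$hits 6442712"
    fi
    # CR 6425723: SPARC sun4v only, snv_47 through snv_85.
    if [ "$machine" = "sun4v" ] && in_range "$n" 47 85; then
        hits="$hits 6425723"
    fi
    # CR 6679732: x86, 32-bit, snv_86 through snv_91.
    if [ "$machine" = "i86pc" ] && [ "$bits" = "32" ] && in_range "$n" 86 91; then
        hits="$hits 6679732"
    fi
    if [ -n "$hits" ]; then echo "${hits# }"; else echo "none"; fi
}

# Live check, run only where isainfo(1) exists (i.e. on Solaris/OpenSolaris).
if command -v isainfo >/dev/null 2>&1; then
    ufs_alert_crs "$(uname -v)" "$(uname -m)" "$(isainfo -b)"
fi
```

A result of "unknown" means the kernel string is not an OpenSolaris build name, so the patch levels listed for Solaris 10 have to be checked separately.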

3. Symptoms

When this issue (6442712 & 6425723) occurs, there will be a hung kernel thread with a stack similar to: